Trust Assessment
codex-cli received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 1 critical, 1 high, 0 medium, and 0 low severity. The key findings are Direct Command Execution via `exec` tool and Subagent Configured with Excessive Tool Permissions.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Direct Command Execution via `exec` tool: The skill explicitly instructs Clawdbot to use its `exec` tool to invoke the `codex` CLI. The `codex` tool is an AI agent designed to perform coding tasks, which inherently involves executing shell commands, modifying files, and interacting with the system. When `codex` is run with flags like `--full-auto` (as demonstrated in the skill) or in 'Full Access' mode, it can execute arbitrary commands on the host system without further user confirmation. This creates a severe command injection risk if the input prompt provided to `codex` (e.g., from an untrusted user) leads it to execute malicious commands. Implement strict input validation and sanitization for any user-provided input passed to `codex exec`. Avoid `--full-auto` in production or untrusted environments. Consider using a more restricted sandbox for `codex` execution and implement explicit approval steps for sensitive operations. | LLM | SKILL.md:100 |
| HIGH | Subagent Configured with Excessive Tool Permissions: The skill's 'Subagent Delegation' pattern provides a configuration for a `coder` subagent that explicitly allows an overly broad set of tools: `["exec", "read", "write", "edit", "apply_patch", "process"]`. This grants the subagent extensive capabilities to interact with the filesystem and execute arbitrary commands, which could be exploited if the subagent's prompts are compromised or if it makes an erroneous decision, leading to data loss, unauthorized access, or system compromise. Restrict subagent tool access to the absolute minimum necessary for its function. Avoid granting `exec` or broad write/edit permissions unless strictly required and with robust sandboxing. Implement explicit approval mechanisms for sensitive operations performed by the subagent. | LLM | SKILL.md:116 |